WordPress Sites Delivering Ransomware

A large number of websites that run on the WordPress content management system are being hacked to deliver the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them.

Malwarebytes Senior Security Researcher Jérôme Segura wrote: "WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads. This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit."

According to website security firm Sucuri, the code takes pains to infect only first-time visitors. To further conceal the attack, the code redirects end users through a series of sites before delivering the final, malicious payload.

It is not known how the sites are becoming infected, but it is possible that site administrators are not locking down login credentials that allow the hacker to change content. However, the website malware installs a variety of backdoors on the webserver, a feature that's causing many hacked sites to be repeatedly reinfected.

People running WordPress sites should take time to make sure their servers are fully patched and locked down with a strong password and two-factor authentication.